Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Improved Impossible Di

ff

erential Attack on Reduced Version of

Camellia-192

/

256

Ya Liu1_{, Dawu Gu}1_{, Zhiqiang Liu}1_{, Wei Li}2,3

1_{Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240 ,China,} {liuya0611, dwgu, ilu zq}@sjtu.edu.cn

2_{School of Computer Science and Technology, Donghua University, Shanghai 201620, China}

3_{Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai 200240, China} [email protected]

Abstract

As an ISO/IEC international standard, Camellia has been used various cryptographic applications. In this paper, we improve previous attacks on Camellia-192/256 with key-dependent layers FL/FL−1_{by using the intrinsic weakness}

of keyed functions. Specifically, we present the first impossible differential attack on 13-round Camellia with 2121.6 chosen ciphertexts and 2189.9 13-round encryptions, while the analysis for the biggest number of rounds in previous results on Camellia-192 worked on 12 rounds. Furthermore, we successfully attack 14-round Camellia-256 with 2122.1 chosen ciphertexts and 2229.3_{14-round encryptions. Compared with the previously best known attack on 14-round}

Camellia-256, the time complexity of our attack is reduced by 28.9_{times and the data complexity is comparable.}

Key words: Block Cipher, Camellia, Impossible Differential Cryptanalysis

1. Introduction

The 128-bit block cipher Camellia was jointly developed by NTT and Mitsubishi in 2000 [1]. It supports three kinds of key sizes, i.e., 128 bits, 192 bits and 256 bits. For simplicity, they can be usually denoted as Camellia-128, Camellia-192 and Camellia-256, respectively. Camellia adopts the basic Feistel structure with two key-dependent transformations inserted every six rounds. The goals for such a design are to provide non-regularity across rounds and to thwart future unknown attacks. In 2002, Camellia was selected as one of the CRYPTREC e-government recommended ciphers. In 2003, it was recommended in NESSIE block cipher portfolio. Finally, it was adopted as an international standard by ISO/IEC [4].

So far, a lot of researchers have used various methods to attack Camellia such as linear cryptanalysis, differential cryptanalysis, higher order differential attack, impossible differential attack and so on. Among them, most attacks involved in reduced-round Camellia without FL/FL−1 and whitening layers [5, 6, 7, 11, 14, 15, 16, 17, 18], only three attacks focused on the security of reduced-round Camellia with FL/FL−1and whitening layers [3, 9, 10], and four attacks analyzed the security of reduced-round Camellia with FL/FL−1layers [8, 13, 2, 12]. For Camellia with

FL/FL−1_{layers, Li et al. attacked 12-round Camellia-192 with 2}120.1_{chosen plaintexts and 2}184_{encryptions and}

14-round Camellia-256 with 2120_{chosen ciphertexts and 2}250.5_{encryptions [8], lv et al. mounted impossible differential}

attacks on 10-round Camellia-128 with 2118_{chosen plaintexts and 2}118_{encryptions and 11-round Camellia-192 with}

2118_{chosen plaintexts and 2}163.1_{encryptions [13], Bai et al. improved Li’s results to attack 12-round Camellia-192}

with 2120.6_{chosen plaintexts and 2}171.4_{encryptions and 14-round Camellia-256 with 2}121.2_{chosen plaintexts and 2}238.2

encryptions [2], lv et al. gave higher-order meet-in-the-middle attacks on 10-round Camellia-128 with 293 _chosen

plaintexts and 2118.6_{encryptions, 11-round Camellia-192 with 2}78_{chosen plaintexts and 2}187.4_{encryptions as well as}

12-round Camellia-256 with 294_{chosen plaintexts and 2}237.3_{encryptions [12].}

Impossible differential cryptanalysis was independently proposed by Knudsen and Biham. Unlike traditional differential cryptanalysis, the adversary requires to construct two truncated differentials with probability one which meet a contradiction in the middle. This new differential with probability zero is called an impossible differential. By using this impossible differential, we can remove all wrong candidates of the secret key until the correct one is left.

Table 1: Summary of attacks on reduced-round Camellia-192/256 without the whitening layers

Key Size Rounds Attack Type Data Time(Enc) Memory (Bytes) Source

Camellia-192 11 Impossible DC 2118_{CP 2}163.1 ₂141 _[12]

11 HO-MitM 294_{CP 2}180.2 ₂174 _[13]

11 Impossible DC 2120.4_{CP 2}121.7 ₂115.5 _[2]

12 Impossible DC 2120.1_{CP 2}184 ₂124.1 _[8]

12 Impossible DC 2120.6_{CP 2}171.4 ₂171.6 _[2]

12 Impossible DC 2124.35_{CP 2}148.5 ₂132.7 _{Section 3.1}

13 Impossible DC 2121.6_{CC 2}189.9 ₂101.6 _{Section 3.2}

Camellia-256 12 HO-MitM 294_{CP 2}237.3 ₂174 _[13]

14 Impossible DC 2120_{CC 2}250.5 ₂125 _[8]

14 Impossible DC 2121.2_{CC 2}238.2 ₂180.2 _[2]

14 Impossible DC 2122.1_{CC 2}229.3 ₂134.1 _{Section 4}

DC: Differential Cryptanalysis; CP/CC: Chosen Plaintexts/Chosen Ciphertexts;

HO-MitM: Higher Order Meet-in-the-Middle Attack; Enc: Encryptions;

As one of the most powerful methods, impossible differential cryptanalysis is used to analyze the securities of many block ciphers such as AES, CLEAFIA, ARIA, MISTY1 and so on.

In this paper, we improve previous attacks on Camellia-192/256 with two key-dependent layers FL/FL−1 by using the intrinsic weakness of keyed transformations. We first attack 12-round Camellia-192 with 2124.35 chosen plaintexts, 2148.5 12-round encryptions and 2132.7 bytes. Compared with the previously fastest known attack on 12-round Camellia-192, the time and memory complexities of our attack are reduced by 222.9times and 238.9times and the data complexity is comparable. Second, we further improve our result and derive the first attack on 13-round Camellia-192 with 2121.6 _{chosen ciphertexts, 2}189.9 _{13-round encryptions and 2}101.6 _{bytes, while the analysis for the biggest}

number of rounds in previous results on Camellia-192 worked on 12 rounds. Finally, we propose improved impossible differential cryptanalysis of 14-round Camellia-256 with 2122.1 _{chosen ciphertexts, 2}229.3 _{14-round encryptions and}

2134.1_{bytes, which is 2}8.9 _{times faster than previously best known attack on 14-round Camellia-256. In table 1, we}

summarize our results along with the former known ones on Camellia-192/256.

The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. Section 3 gives a chosen plaintext attack on 12-round Camellia-192 and a chosen ciphertext attack on 13-round Camellia-192. Section 4 presents an impossible differential attack on 14-round Camellia-256. Section 5 summarizes this paper.

2. Preliminaries

2.1. Some Notations

- P,C: the plaintext and the ciphertext;

- Li−1,Ri−1: the left half and the right half of the i-th round input;

-∆Li−1,∆Ri−1: the left half and the right half of the input difference in the i-th round;

- kw1|kw2,kw3|kw4: the pre-whitening key and the post-whitening key;

- ki,kli(1≤i≤6): the subkey used in the i-th round and 64-bit keys used in the FL/FL−1layers;

- Sr,∆Sr: the output and the output difference of the S-boxes in the r-th round;

- X|Y,X≪ j: the concatenation of X and Y, left rotation of X by j bits;

- XL(n

2),XR(

n

2): the left half and the right half of a n-bit word X;

- Xi,X{i,j}, X{i∼j}: the i-th byte, the i-th and j-th bytes and the i-th to the j-th bytes of X;

- Xi_,X(i,j)_,X(i∼j)_{: the i-th bit, the i-th and j-th bits and the i-th to j-th bits of X;}

-⊕,∩,∪: bitwise exclusive-OR (XOR), AND, and OR operations, respectively; - 0(i),1(i): consecutive i bits are zero or one.

2.2. The Block Cipher Camellia

Camellia [1] is a 128-bit block cipher. It adopts the basic Feistel structure with the key-dependent functions

FL/FL−1 _{inserted every 6 rounds. Camellia supports variable key sizes and the number of rounds depends on the}

key size, i.e., 18 rounds for a 128-bit key size and 24 rounds for 192/256-bit key sizes. The encryption algorithm of Camellia can be expressed as follows:

1. L0|R0=P⊕(kw1|kw2),

2. For r=1 to Nr:

if r,_{6k,where k=1,· · ·,Nr/6−1, then Lr=Rr−1⊕F(Lr−1,kr),Rr=Lr−1.}

else L′

r=Rr−1⊕F(Lr−1,kr),R′r=Lr−1; Lr=FL(L′r,klr/3−1),Rr=FL−1(L′r,klr/3);

3. C=(RNr⊕kw3)|(LRNr⊕kw4).

Here the round function includes an XOR operation with a round key, an nonlinear transformation S and a linear function P. Among it, the linear transformation P and its inverse function P−1_{are defined as follows:}

z1=y1⊕y3⊕y4⊕y6⊕y7⊕y8; y1=z2⊕z3⊕z4⊕z6⊕z7⊕z8;

z2=y1⊕y2⊕y4⊕y5⊕y7⊕y8; y2=z1⊕z3⊕z4⊕z5⊕z7⊕z8;

z3=y1⊕y2⊕y3⊕y5⊕y6⊕y8; y3=z1⊕z2⊕z4⊕z5⊕z6⊕z8;

z4=y2⊕y3⊕y4⊕y5⊕y6⊕y7; y4=z1⊕z2⊕z3⊕z5⊕z6⊕z7;

z5=y1⊕y2⊕y6⊕y7⊕y8; y5=z1⊕z2⊕z5⊕z7⊕z8;

z6=y2⊕y3⊕y5⊕y7⊕y8; y6=z2⊕z3⊕z5⊕z6⊕z8;

z7=y3⊕y4⊕y5⊕y6⊕y8; y7=z3⊕z4⊕z5⊕z6⊕z7;

z8=y1⊕y4⊕y5⊕y6⊕y7; y8=z1⊕z4⊕z6⊕z7⊕z8;

where (y1,y2,y3,y4,y5,y6,y7,y8) and (z1,z2,z3,z4,z5,z6,z7,z8) are the input and output of P. The key-dependent

function FL : (XL|XR,klL|klR)7→YL|YR,where YR =((XL∩klL)≪1)⊕XR,YL=(YR∪klR)⊕XL.

Key Schedule of Camellia-192/256. The key schedule of Camellia applies a 6-round Feistel structure to derive two 128-bit intermediate variables KA and KBfrom 128-bit variables KL and KR, and then all round subkeys can be

generated by KL,KR,KAand KB. For Camellia-192, the left 128-bit of the key K is used as KL, and the concatenation

of the right 64-bit of the key K and the complement of the right 64-bit of the key K is used as KR. For Camellia-256,

the main key K is separated into two 128-bit variables KLand KR, i.e., K =KL|KR.

2.3. 8-Round Impossible Differentials of Camellia

In [10], Liu et al. presented 8-round impossible differentials of Camellia with two FL/FL−1layers as follows:

Property 1. For an 8-round Camellia encryption with two FL/FL−1layers inserted after the first and seventh rounds, the input difference of the first round is (0|0|0|0|0|0|0|0,a|0|0|0|a′|0|0|0) and the output difference of the eighth round is (b|0|0|0|b′_{|0|0|0,0|0|0|0|0|0|0|0) with a and b being nonzero bytes and a}(1) _=b(1) _=a′(8) _=b′(8) _{=0. Four subkeys}

kli(i=1,· · ·,4) are used in two FL/FL−1layers. If a′and b′satisfy the following equations:

a′(i)=

(

0, if kl(i₁+1)=0;

a(i+1), if kl(i₁+1)=1; b

′(i)₌

(

0, if kl(i₄+1)=0;

b(i+1), if kl₄(i+1)=1; for 1≤i≤7,

then (0|0|0|0|0|0|0|0,a|0|0|0|a′|0|0|0)98 (b|0|0|0|b′|0|0|0,0|0|0|0|0|0|0|0) is an 8-round impossible differential of

Camel-lia with two FL/FL−1layers (See Fig. 1).

For each value of kl(2∼8)₁ |kl(2∼8)₄ , denote the corresponding impossible differential by∆i. Let A={∆i|0≤i≤214−1}.

All differentials of A can be divided into three cases, i.e., (1) a′=b′=0, (2) a′=0 and b′,_{0, or a}′,_{0 and b}′_=0,

(3) a′_{,0 and b}′_{,0. Since property 1 only gave the existence of an 8-round impossible differential of Camellia for}

any fixed key value, they proposed an attack strategy to recover the master key in the following:

The Attack Strategy. Select a differential∆i from A. Based on it, we mount an impossible differential attack on

reduced-round Camellia given enough plaintext pairs.

- If one subkey will be kept, we recover the secret key by the key schedule and verify whether it is correct by some plaintext-ciphertext pairs. If success, halt this attack. Otherwise, try another differential∆j( j,i) of A and perform a

new impossible differential attack.

- If no subkeys or more than one subkeys are left, select another differential of A to execute a new impossible differential attack.

Figure 1: The Structure of 8-Round Impossible Differentials of Camellia

3. Impossible Differential Cryptanalysis of Reduced-Round Camellia-192

In this section, we mount a chosen plaintext attack on 12-round Camellia-192 from rounds 3 to 14 and a chosen ciphertext attack on 13-round Camellia-192 from rounds 3 to 15. Some previous skills such as building hash tables and the early abort technique [11] are also adopted. Moreover, we make full use of the corresponding subkey for each 8-round differential of A to reduce the guessed key space.

3.1. Impossible Differential Cryptanalysis of 12-Round Camellia-192

By setting three rounds at the top and one round at the bottom of 8-round differentials, we attack 12-round Camellia-192 from rounds 3 to 14. We divide all differentials of A into three cases to discuss our attack as follows.

Case 1 a′=b′=0. The 8-round impossible differential is∆ =(0|0|0|0|0|0|0|0,a|0|0|0|0|0|0|0)→8(b|0|0|0|0|0|0|0,0|0|

0|0|0|0|0|0),where a and b are non-zero bytes and a(1) = b(1) = 0. At this time, the corresponding subkey is kl(2∼8)₁ |kl(2∼8)₄ =K_R(31∼37)|K_L(125∼127)|K_L(0∼3)=0(14). See Figure 2.

1. Choose 29.5_{structures of plaintexts. Each structure contains 2}111_{plaintexts with the form: (P(α}

1|α2|α3|α4|α5|x1|x2|

α6), α7|α8|α9|α10|α11|α12|α13|α14),whereα(1)₄ ,x1,x2are fixed andαi(1≤ i≤ 14,i ,4),α(2∼8)₄ take all possible

values. Clearly, each structure can form 2221_{plaintext pairs. In total, we collect 2}230.5 _{plaintext pairs. The left}

halves of these plaintext differences satisfy P(g1|g2 ⊕a|g3⊕a|a|g4⊕a|0|0|g5⊕a) with a and gi(1 ≤ i ≤ 5)

being nonzero bytes and a(1)_{=0. Encrypt them and keep those pairs whose ciphertext differences have the form}

(P(h|0|0|0|0|0|0|0),b|0|0|0|0|0|0|0) with b and h being nonzero bytes and b(1) _{=0. The probability of this event is}

about 2−113_{. Therefore, the expected number of remaining pairs is about 2}117.5_.

2. Guess K3,3=K_R(31∼38). We have known the value of K_3,3(1∼7)from kl(2∼8)₁ . Thus we only guess one bit K_3,3(8). For each

remaining pair, compute the value of (S3,3,S′_3,3) and check whether the equation∆S3,3 =(P−1(∆PR))3holds. If

∆S3,3,(P−1(∆PR))3for some pair, then this pair will be discarded. The probability is about 2−8. So the expected

number of remaining pairs is approximately 2109.5_{. Next guess K}

3,lfor 2 ≤l ≤8(l,3). For every remaining

pair, calculate the value of (S3,l,S′_3,l). Discard those pairs satisfying∆S3,l,(P−1(∆PR))l. About 261.5pairs will

be kept. Finally, guess K3,1and calculate the inputs of the 4-th round.

Figure 2: Impossible Differential Attack on 12-Round Camellia for Case 1

3. According to K4 = K (15∼63) R |K

(0∼14)

R and K14,1 = K

(60∼63) R |K

(0∼3)

R , we compute the value of (S4,S′4,∆S14,1) for

every remaining pair. Keep those pairs satisfying these equations∆S4,1 =(P−1(∆PL))1,∆S4,l=(P−1(∆PL))l⊕

(P−1_(∆P

L))4(l=2,3,5,8) and∆S14,1 =(P−1(∆CR))1. The probability of this event is about 2−48. The expected

number of remaining pairs is approximately 213.5_{. For each remaining pair, calculate the inputs of the 5-th round.}

4. Guess K5,1. Compute the value of (∆S5,1,(P−1(∆R4))1) for each remaining pair. If∆S5,1=(P−1(∆R4))1for some

pair, we remove the guessed subkey. The probability is about 2−8_{. So the expected number of remaining wrong}

subkey is approximately 265_×(1−2−8₎213.5

≈1 if∆is an 8-round impossible differential. When only one joint subkey is kept, we recover the secret key and verify whether it is correct, else try another differential of A.

Case 2 a′ _{= 0 and b}′ _{, 0, or a}′ _{, 0 and b}′ _{=0. We only attack a special scenario a}′ _{= 0 and b}′(1∼7) _{= b}(2∼8)_.

Others can be attacked in the similar way. At this time, the differential is∆′ = (0|0|0|0|0|0|0|0,a|0|0|0|0|0|0|0)→8

(b|0|0|0|b′|0|0|0,0|0|0|0|0|0|0|0),where a, b and b′are non-zero bytes, b′(1∼7)=b(2∼8)and a(1) =b(1) =b′(8)=0. The corresponding subkey is kl₁(2∼8)|kl(2∼8)₄ =K_R(31∼37)|K_L(125∼127)|K(0∼3)_L =0(7)|1(7).

1. Select 2120.7 _{plaintexts which have the same structure as above Case 1. We totally collect 2}230.7_{plaintext pairs.}

Encrypt them and obtain the corresponding ciphertext pairs. If the ciphertext difference of some pair does not satisfy (P(h|0|0|0|h′_{|0|0|0),b|0|0|0|b}′_{|0|0|0) with b,b}′_{,h and h}′_{being non-zero bytes, b}′(1∼7) _=b(2∼8)_{and b}(1) ₌

b′(8)=0, we get rid of this pair. The expected number of remaining pairs is about 2125.7. 2. Guess K3,3,K3,2,K3,{4∼8}and K3,1in turn. After this test, about 269.7pairs will be kept.

3. We have known K4 and K14,l(l = 1,5). For each remaining pair, we compute the values of (S4,S′₄) and

(S14,l,S′_14,l). This step is similar to step 3 of Case 1. The expected number of remaining pairs is about 213.7.

4. Guess K15,1as before. If∆′is an 8-round impossible differential, then the expected number of remaining wrong

subkeys is approximately 273_×(1−2−8₎213.7

≈1. We only consider the scenario that one joint subkey will be kept. At this time, we recover the secret key by the key schedule and verify whether it is correct. If this key is correct, then we halt the attack, else try another differential of A.

Case 3 a′ _{, 0 and b}′ _{, 0. We only attack an example a}′(1∼7) _{= a}(2∼8) _{and b}′(1∼7) _{= b}(2∼8)_{. The differential is}

∆′′ _{=(0|0|0|0|0|0|0|0,a|0|0|0|a}′_|0|0|0)→

8(b|0|0|0|b′|0|0|0,0|0|0|0|0|0|0|0),where a, a′, b and b′are non-zero bytes and

a(1)_=b(1)_=a′(8)_=b′(8)_{=0. The corresponding subkey is kl}(2∼8) 1 |kl

(2∼8) 4 =K

(31∼37) R |K

(125∼127) L |K

(0∼3) L =1(14).

1. Select 2124.35 _{plaitexts including those plaintexts in Cases 1 and 2. Encrypt them to obtain the corresponding}

ciphertexts. Guess 11 bits of KR, i.e., K14,1 = K_R(60∼63)|K_R(0∼3) and K(1∼3)_14,5 = K_R(28∼30). Since K_R(31∼35) = 1(5),

we can get the value of K_14,5(4∼8). Partially decrypt the ciphertexts to derive the inputs of the 14-th round. In-sert these plaintext-ciphertexts into a hash table indexed by 121-bit value of (L13,{2∼4}, L13,{6∼8}, L

(1) 13,1, L

(8) 13,5,

L(2∼8)_13,1 ⊕L(1∼7)_13,5 ,R13). Any two plaintext-ciphertexts in the same row of the hash table forms a pair satisfying

(∆L13,∆R13) = (b|0|0|0|b′|0|0|0,0|0|0|0|0|0|0|0) with b(1) =b′(8) = 0 and b(2∼8) = b′(1∼7). Finally, the expected

number of remaining pairs is about 2126.7_.

Table 2: Time Complexity of Cases 3

Step Time Complexity (1-round encryptions)

1 2124.35_×12+2124.35_×211₌₂135.35

2 (2126.7_×212₊₂118.7_×215₊₂110.7_×220₊₂102.7_×225₊₂94.7_×233₊₂86.7_×241₊₂78.7_×257_×2)×2×1

8 =2 137

3 278.7_×2×257₌₂136.7

4 (221.7_×2×265₊₂73_×(1+(1−2−8_{)+· · ·+(1−2}−8₎213.7

))×1₈ ≈284.7

2. Guess K3,3=K (31∼38)

R as before. After this test, about 2

118.7_{pairs will be kept. Next guess K}

3,7,K3,6,K3,2in turn.

Because K_3,7(1∼5)=K(4)_14,1|K_14,1(5∼8)=K_R(63)|K_R(0∼3), K_3,6(6∼8)=K_14,1(1∼3)=K_R(60∼62)and K(6∼8)_3,2 =K_14,5(1∼3) =K_R(28∼30), we only guess partial bits of (K3,7,K3,6,K3,2). Keep these pairs satisfying∆S3,l=(P−1(∆PR))l(l=7,6,2). The expected

number of remaining pairs is about 294.7_{. Finally, guess K}

3,i(i = 4,8). For each remaining pair, we compute

(S3,i,S′_3,i) and test whether∆S3,iis equal to (P−1(∆PR))i. If∆S3,i,(P−1(∆PR))ifor some pair, then this pair will

be discarded. About 278.7_{pairs will be kept. Guess K}

3,{1,5}and compute the inputs of the 4-th round.

3. Since K4 =(KR ≪ 15)R, we can calculate (S4,S₄′) for each remaining pair. Keep these pairs satisfying these

equations∆S4,1 =(P−1(∆PL))1,∆S(1)_4,8 =(P−1(∆PL))(1)₈ ,∆S4,i=(P−1(∆PL))i⊕(∆S4,8⊕(P−1(∆PL))8)(2∼8)|0(i=

6,7) and∆S4,j =(P−1(∆PL))j⊕∆S4,8⊕(P−1(∆PL))8⊕∆S4,7⊕(P−1(∆PL))7( j =2,3,4,5). The probability of

this event is approximately 2−57_{. So about 2}21.7_{will be kept.}

4. Guess K5,5. For each remaining pair, we calculate (S5,5,S′_5,5) and check whether∆S5,5is equal to (P−1(∆R4))5.

If∆S5,5,(P−1(∆R4))5for one pair, this pair will be discarded. About 213.7pairs will be kept. Next guess K5,1as

before. If one subkey is left, we retrieve the master key, else try another differential of A.

Complexity. We list the time complexity of each step for Case 3 in table 2. We find the time complexity of Case 3 is determined by steps 1 and 2, i.e., 2138.1 _{1-round encryptions. Similarly, we compute the time complexities of}

Cases 1 and 2, i.e., 2116.5_{1-round encryptions and 2}124.5_{1-round encryptions. Therefore, the whole time complexity}

is approximately 214×2138.1×₁₂1 =2148.512-round encryptions. The data and memory complexities are 2124.35chosen plaintexts and 2126.7×4×24=2132.7bytes.

3.2. Impossible Differential Cryptanalysis of 13-Round Camellia-192

By adding one round at the bottom of above 12-round Camellia-192, we mount a chosen ciphertext attack on 13-round Camellia-192 from rounds 3 to 15.

Case 1 a′=b′=0. The 8-round differential and the corresponding subkey are∆and kl(2∼8)₁ |kl(2∼8)₄ =K_R(31∼37)|K(125∼127)_L |

K_L(0∼3)=0(14), respectively.

1. Choose 266.5_{structures of ciphertexts. Each structure contains 2}55_{ciphertexts with the form (P(α}

1|α2|α3|α4|α5|x1|

x2|α6),P(α7|x3|x4|x5|x6|x7|x8|x9)), whereαi(1≤i≤7,i ,4), α(2∼8)₄ take all possible values, xj(1≤ j ≤9), α(1)₄

are fixed. Clearly, each structure forms 2109 _{ciphertext pairs. We totally collect about 2}175.5 _{ciphertext pairs}

whose differences satisfy (P(h1|h2⊕b|h3⊕b|b|h4⊕b|0|0|h5⊕b),P(h|0|0|0|0|0|0|0)) with h,hi,b being non-zero

bytes and b(1)_=0.

2. Guess remaining 57 bits of KR. For each structure, we encrypt plaintexts to derive the inputs of the 5-th round.

Insert these plaintext-ciphertexts into a hash table indexed by the value of (L(1)_4,1,L4,{2∼8},(P−1(R4)){2∼8}). Any two

plaintexts lying in the same row of the hash table forms a pair whose input difference in the 5-th round satisfies (a|0|0|0|0|0|0|0,P(g|0|0|0|0|0|0|0)). So the expected number of remaining pairs is about 262.5.

3. Guess K15,1,K15,4 and K15,{2,3,5,8} in turn. For each remaining pair, compute the value of (S15,i,S′_15,i) for 1 ≤

i ≤5 and i =8. Keep these pairs satisfying the equations∆S15,1 = (P−1(∆CL))1 and∆S15,l =(P−1(∆CL))l⊕

(P−1_(∆C

L))4(l = 2,3,5,8). The expected number of remaining pairs is about 222.5. Next guess K15,{6,7} and

calculate the outputs of the 14-th round.

4. Since K14,1 =K_R(60∼63)|K_R(0∼3), we calculate the value of∆S14,1for each remaining pair. Keep these pairs satisfying

∆S14,1=(P−1(∆CR))1. The expected number of remaining pair is about 214.5.

5. Guess K5,1as step 4 of Case 1 in section 3.1. If one joint subkey is left, then we recover the master key, else try

another differential of A.

Case 2 a′=0 and b′,_{0, or a}′,_{0 and b}′_{=0. We attack the same example as Case 2 in section 3.1. The 8-round}

differential and the corresponding subkey are∆′and kl(2∼8)₁ |kl(2∼8)₄ =K_R(31∼37)|K(125∼127)_L |K(0∼3)_L =0(7)|1(7), respectively.

1. Select 241.6_{structures of ciphertexts. Each structure contains 2}80_{ciphertexts, the right halves of whose differences}

have the form P(h|0|0|0h′|0|0|0) with h and h′being non-zero bytes. Decrypt them and obtain the corresponding plaintexts.

2. As step 2 of Case 1, we guess 57 bits of KRand build 241.6hash tables to collect some plaintext-ciphertext pairs

satisfying (∆L4,∆R4) =(a|0|0|0|0|0|0|0,P(g|0|0|0|0|0|0|0)) with a and g being non-zero bytes and a(1) =0. The

expected number of remaining pairs is about 287.6_.

3. Guess K15,1. For each remaining pair, we calculate the value of (S15,1,S_15,1′ ) and verify whether the equation

∆S15,1 = (P−1(∆CL))1 holds. If∆S15,1 =(P−1(∆CL))1for some pair, this pair will be kept. Next guess K15,8,

and compute the value of (S15,8,S_15,8′ ) for every remaining pair. If∆S_15,8(1) , (P−1(∆CL))(1)₈ for one pair, then

this pair will be discarded. Finally, guess K15,l(2≤l≤7). Keep those pairs satisfying these equations∆S15,i =

(P−1_(∆C

L))i⊕(∆S15,8⊕(P−1(∆CL))8)(2∼8)|0(i=6,7) and∆S15,j=(P−1(∆CL))j⊕∆S15,8⊕(P−1(∆CL))8⊕∆S15,7⊕

(P−1_(∆C

L))7( j=2,3,4,5). In total, the expected number of remaining pairs is about 230.6.

4. Because K14,1 = K_R(60∼63)|K_R(0∼3)and K14,5 = K_R(28∼35), we compute (S14,{1,5},S′_14,{1,5}) for each remaining pair.

Discard those pairs satisfying∆S14,{1,5},(P−1(∆CR)){1,5}. Finally, about 214.6pairs will be kept.

5. Guess K5,1as before. If∆′is an impossible differential, the expected number of remaining wrong subkey is about

2129×(1−2−8)214.6≈1. We only recover the secret key if one joint subkey is kept.

Case 3 a′ _{,0 and b}′_{,0. We attack an example, i.e., the 8-round differential is∆}′′_{. The corresponding subkey is}

kl(2∼8)₁ |kl(2∼8)₄ =K_R(31∼37)|K_L(125∼127)|K_L(0∼3)=1(14).

1. Choose the same structures of ciphertexts as Case 2. We totally collect 2200.6ciphertext pairs.

2. Like step 2 of Case 2, guess the remaining 57 bits of KR. For each structure, we build a hash table of

plaintext-cphertexts indexed by the value of (L(1)_4,1, L(8)_4,5, L(2∼8)_4,1 ⊕L(1∼7)_4,5 , L4,{2∼4}, L4,{6∼8},(P−1(R4)){2∼4},(P−1(R4)){6∼8}). Then

any two plaintexts in the same row of one hash table forms a pair whose input difference in the 5-th round has the form (a|0|0|0|a′_{|0|0|0,P(g|0|0|0|g}′_{|0|0|0)) with a,a}′_{,g and g}′_{being non-zero bytes, a}(2∼8) _{= a}′(1∼7) _and

a(1)_=a′(8)_{=0. Therefore, the expected number of remaining pairs is about 2}95.6_.

3. As steps 3 and 4 of Case 2 in this section, guess K15and K14,{1,5}. Finally, about 222.6pairs will be kept.

4. This step is the same as step 5 of Case 3 in section 3.1. The scenario that one subkey is left will be considered.

Complexity. For three cases, the time complexity of Case 3 is maximal, i.e., about 2121.6×257×2≈2179.61-round encryptions. Therefore, the total time complexity is approximately 214 ×2179.6×₁₃1 =2189.913-round encryptions. The date and memory complexities are 2121.6chosen ciphertexts and 295.6×4×24=2101.6bytes, respectively.

4. Impossible Differential Cryptanalysis of 14-Round Camellia-256

In this section, we mount an impossible differential attack on 14-round Camellia-256 from rounds 10 to 23. Since the attack procedure is similar to above section, we will briefly introduce the whole attack as follows.

Case 1 a′=b′=0. The 8-round differential and the corresponding subkey are∆and kl(2∼8)₃ |kl(2∼8)₆ =K(61∼67)_L |K_A(14∼20) =0(14), respectively.

1. Select 267_{structures of plaintexts. Each structure contains 2}55_{plaintexts with the form (P(α}

1|x1|x2|x3|x4|x5|x6|x7),

P(α2|α3α4|α5|α6|x8|x9|α7)), whereαi(1≤i≤7,i,5) andα₅(2∼8)take all possible values andα(1)₅ and xj(1≤ j≤

9) are fixed.

2. Guess 66 bits of KL, i.e., K_L(109∼127)|K_L(0∼46). Since K10 =(KL ≪45)R =K_L(109∼127)|K_L(0∼44)and K23 =(KL ≪

111)L=K (111∼127) L |K

(0∼46)

L , we partially encrypt plaintexts to obtain inputs of the 11-th round and decrypt

corre-sponding ciphertexts to derive outputs of the 22-nd round. For each structure, we insert plaintext-ciphertexts into a hash table indexed by the value of (L10,{2∼8},(P−1(R10)){2∼8},(P−1(R22))(1)₄ ,(P−1(R22)){6,7}). Any two

of its output difference in the 22-nd round satisfy (a|0|0|0|0|0|0|0,P(g|0|0|0|0|0|0|0)) and P(h1|h2⊕b|h3⊕b|b|h4⊕

b|0|0|h5⊕b) with a,g,b,hi(1≤i ≤5) being non-zero bytes and a(1) =b(1) =0. Thus the expected number of

remaining pairs is about 2176_×2−57₌₂119_.

3. Guess K11,1 = K_A(45∼52). For each remaining pair, we calculate∆S11,1. Keep these pairs satisfying∆S11,1 =

(P−1(∆R10))1. About 2111pairs will be kept.

4. Because K22,3=K_A(46∼53), we only guess one bit of K22,3, i.e., K_22,3(8) =K_A(53). For each remaining pair, we calculate

the value of (S22,3,S_22,3′ ). Keep those pairs satisfying∆S22,3=(P−1(∆R21))3. The expected number of remaining

pairs is about 2103. Next guess K22,2 =K_A(38∼45). In fact, we only guess 7 bits of K22,2because we have known

the value of K_22,2(8) . Keep those pairs satisfying∆S22,2 =(P−1(∆R21))2. The expected number of remaining pairs

is about 295. Finally, guess K22,ifor 4≤i≤8 in turn. Discard those pairs satisfying∆S22,i,(P−1(∆R21))i. The

expected number of remaining pairs is about 255. Guess K22,1and compute the inputs of the 21-st round.

5. Guess K21,1, K21,4and K21,j( j=2,3,5,8) in turn. For each remaining pair, we compute the value of (S21,j,S′_21,j).

Keep those pairs satisfying∆S21,1 = (P−1(∆R20))1 and∆S21,j = (P−1(∆R20))j⊕(P−1(∆R20))4. The expected

number of remaining pairs is about 215_{. Finally, guess K}

21,{6,7} =K (6∼13) A |K

(14∼21)

A . As a matter of fact, we only

guess 9 bits because we have known the value of K_A(14∼20). Compute the outputs of the 20-th round.

6. Guess K20,1. For each remaining pair, we calculate the value of (∆S20,1,(P−1(∆R19))1). Remove these guessed

subkeys such that∆S20,1 is equal to (P−1(∆R19))1for one pair. If∆is an 8-round impossible differential, the

expected number of remaining wrong subkeys is about 2195×(1−2−8)215 ≈1. We recover the secret key from this guessed subkey when one subkey is left.

Case 2 a′ _{=0 and b}′ _{, 0, or a}′ _{,0 and b}′ _{=0. We attack one example, i.e., the 8-round differential is∆}′_{. The}

corresponding subkey is kl(2∼8)₃ |kl(2∼8)₆ =K_L(61∼67)|K_A(14∼20)=0(7)|1(7).

1. Choose 267.1_{structures of plaintexts, which have the same form as above Case 1 in this section.}

2. Guess K10,K23and K11,1, i.e., 66 bits of KLand 8 bits of KA. For each plaintext of any structure, compute outputs

of the 11-th and 22-nd rounds. Insert these plaintext-ciphertexts into a hash table indexed by (L11,R11,{2∼8}).

Any two pairs in the same row of the hash table forms a pair whose output difference in the 11-th round satisfies (0|0|0|0|0|0|0|0,a|0|0|0|0|0|0|0). The expected number of remaining pairs is approximately 267.1+109_×2−48₌₂128.1_.

3. Guess K22,3, K22,2, K22,i(i = 4,6,7,8) in turn. For each remaining pair, calculate the intermediate value of

(S22,j,S′_22,j) (2 ≤ j ≤8,j ,5). Keep those pairs satisfying∆S22,j =(P−1(∆R21))j. The expected number of

remaining pairs is about 280.1. Guess K22,{1,5}and compute the outputs of the 21-st round.

4. Guess K21,1,K21,7,K21,l(2 ≤ l ≤ 8,l , 7) in turn. Keep those pairs satisfying these equations∆S21,1 =

(P−1_(∆R

20))1,∆S(8)_21,7 =(P−1(∆R20))(8)₇ ,∆S21,6= ∆S21,7⊕(P−1(∆R20))7⊕(P−1(∆R20))6,∆S21,8=(P−1(∆R20))8⊕

0|(∆S21,7⊕(P−1(∆R20))7)1∼7,∆S21,i=(P−1(∆R20))i⊕∆S21,7⊕(P−1(∆R20))7⊕∆S21,8⊕(P−1(∆R20))8(2≤i≤5).

The expected number of remaining pairs is about 223.1_.

5. Guess K20,5. Keep those pairs satisfying∆S20,5 =(P−1(∆L20))5. About 215.1pairs will be left. Next guess K20,1.

If∆S20,1 =(P−1(∆L20))1for one pair, we remove this guessed subkey. The expected number of remaining wrong

subkeys is about 2203_×(1−2−8₎215.1

≈1 if∆′_{is an impossible differential. When one subkey is left, we recover}

the secret key by the key schedule.

Case 3 a′ _{,0 and b}′ _{, 0. We attack the special example, i.e., the 8-round differential is∆}′′_{. The corresponding}

subkey is kl₃(2∼8)|kl(2∼8)₆ =K_L(61∼67)|K(14∼20)_A =1(14).

1. Select 242.1structures of plaintexts. Each structure contains 280plaintexts with the form (P(α1|x1|x2|x3|α2|x4|x5|x6),

α3|α4|α5|α6|α7|α8|α9|α10), whereαi(1≤i≤10) take all possible values and xj(1≤j≤6) are fixed.

2. Guess K10,K23and K11,{1,5}as before. Partially encrypt the plaintexts to derive outputs of 11-th round and decrypt

the corresponding ciphertexts to get outputs of 22-nd round. Insert these plaintext-ciphertexts into the hash table indexed by (L11, R(1)_11,1, R11,{2∼4}, R8_11,5, R11,{6∼8}, R(2∼8)_11,1 ⊕R(1∼7)_11,5 ). Any two plaintext-ciphrtetxs in the same row of the

hash table forms a pair whose output difference in the 11-th round have the form (0|0|0|0|0|0|0|0,a|0|0|0|a′|0|0|0) with a(1)=a′(8)=0 and a(2∼8)=a′(1∼7). The expected number of remaining pairs is about 242.1+159×2−73=2128.1. 3. Guess K22,K21,K20,{1,5}as above Case 2. Finally, we recover the secret key by the key schedule when one joint

Complexity. Similarly, we analyze the time complexity of each case. We find that the time complexity of Case 3 is maximal, i.e., 2215.314-round encryptions. Thus the total time complexity is about 2229.3 14-round encryptions. The data and memory complexities are 2122.1_{chosen plaintexts and 2}134.1_bytes.

5. Conclusion

In this paper, we have presented the best known attacks on Camellia-192/256 by making full use of the relation between the 8-round differentials of the set A and the values of the subkey. On the one hand, we mount a chosen plain-text attack on 12-round Camellia-192 from rounds 3 to 14 and a chosen cipherplain-text attack on 13-round Camellia-192 from rounds 3 to 15. The time complexity of our attack on 12-round Camellia-192 is about 2148.5_12-round

encryp-tions, which is 222.9_{times faster than previously known best results on 12-round Camellia-192. The corresponding}

memory complexity is about 2132.7_{bytes, which is 2}38.9_{times smaller than previously known best results on 12-round}

Camellia-192. More importantly, the attack on 13-round Camellia-192 is presented for the first time. On the other hand, we successfully mount an improved impossible differential attack on 14-round Camellia-256 with 2122.1_chosen

ciphertexts, 2229.3_{14-round encryptions and 2}134.1_{bytes. Compared with the previously fastest known attack on}

14-round Camellia-256, the time and memory complexities of our attack are reduced by 28.9_{and 2}46.1_{times and the data}

complexity is comparable.

References

[1] Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.R., Tavares, S.E. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 2012, pp. 39–56. Springer (2000)

[2] Bai, D., Li, L.: New impossible differential attacks on camellia. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC. Lecture Notes in Computer Science, vol. 7232, pp. 80–96. Springer (2012)

[3] Chen, J., Jia, K., Yu, H., Wang, X.: New impossible differential attacks of reduced-round Camellia-192 and Camellia-256. In: Parampalli, U., Hawkes, P. (eds.) ACISP. Lecture Notes in Computer Science, vol. 6812, pp. 16–33. Springer (2011)

[4] International Standardization of Organization (ISO): International standard - ISO/IEC 18033-3. Tech. rep., Information technology - Security techniques - Encryption algrithm - Part 3: Block Ciphers (July 2005)

[5] Lee, S., Hong, S., Lee, S., Lim, J., Yoon, S.: Truncated differential cryptanalysis of Camellia. In: Kim, K. (ed.) ICISC. Lecture Notes in Computer Science, vol. 2288, pp. 32–38. Springer (2001)

[6] Lei, D., Li, C., Feng, K.: New observation on Camellia. In: Preneel, B., Tavares, S.E. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 3897, pp. 51–64. Springer (2005)

[7] Lei, D., Li, C., Feng, K.: Square like attack on Camellia. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS. Lecture Notes in Computer Science, vol. 4861, pp. 269–283. Springer (2007)

[8] Li, L., Chen, J., Wang, X.: Security of reduced-round Camellia against impossible differential attack. IACR Cryptology ePrint Archive 2011, 524 (2011)

[9] Liu, Y., Gu, D., Liu, Z., Li, W.: Improved results on impossible differential cryptanalysis of reduced-round Camellia-192/256. Journal of Systems and Software (2012), accepted

[10] Liu, Y., Li, L., Gu, D., Wang, X., Liu, Z., Chen, J., Li, W.: New observations on impossible differential cryptanalysis of reduced-round Camellia. In: FSE (2012), to appear

[11] Lu, J., Kim, J., Keller, N., Dunkelman, O.: Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY1. In: Malkin, T. (ed.) CT-RSA. Lecture Notes in Computer Science, vol. 4964, pp. 370–386. Springer (2008)

[12] Lu, J., Wei, Y., Kim, J., Fouque, P.A.: Cryptanalysis of reduced versions of the Camellia block cipher. In: Preproceeding of SAC (2011) [13] Lu, J., Wei, Y., Kim, J., Pasalic, E.: The higher-order meet-in-the-middle attack and its application to the Camellia block cipher. In:

P-resented in part at the First Asian Workshop on Symmetric Key Cryptography (ASK 2011) (Augst 2011), a full version is available at https://sites.google.com/site/jiqiang/

[14] Mala, H., Shakiba, M., Dakhilalian, M., Bagherikaram, G.: New results on impossible differential cryptanalysis of reduced-round Camellia-128. In: Jr., M.J.J., Rijmen, V., Safavi-Naini, R. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 5867, pp. 281–294. Springer (2009)

[15] Shirai, T.: Differential, linear, boomerange and rectangle cryptanalysis of reduced-round Camellia. Proceedings of 3rd NESSIE Workshop, Munich, Germany (November 6-7 2002)

[16] Sugita, M., Kobara, K., Imai, H.: Security of reduced version of the block cipher Camellia against truncated and impossible differential cryptanalysis. In: Boyd, C. (ed.) ASIACRYPT. Lecture Notes in Computer Science, vol. 2248, pp. 193–207. Springer (2001)

[17] Wu, W., Feng, D., Chen, H.: Collision attack and pseudorandomness of reduced-round Camellia. In: Handschuh, H., Hasan, M.A. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 3357, pp. 252–266. Springer (2004)

[18] Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of reduced-round ARIA and Camellia. J. Comput. Sci. Technol. 22(3), 449–456 (2007)